Validation of Mixed Signal-Alpha Real-Time Systems through Affine Calculus on Clock Synchronisation Constraints

(1)

HAL Id: hal-00548887

https://hal.archives-ouvertes.fr/hal-00548887

Submitted on 20 Dec 2010

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Validation of Mixed Signal-Alpha Real-Time Systems through Aﬀine Calculus on Clock Synchronisation

Constraints

Irina Smarandache, Thierry Gautier, Paul Le Guernic

To cite this version:

Irina Smarandache, Thierry Gautier, Paul Le Guernic. Validation of Mixed Signal-Alpha Real-Time Systems through Aﬀine Calculus on Clock Synchronisation Constraints. World Congress on Formal Methods in the Development of Computing Systems (FM’99), Sep 1999, Toulouse, France. pp.1364- 1383, �10.1007/3-540-48118-4_22�. �hal-00548887�

(2)

Validation of Mixed

^Signal

-

^Alpha

Real-Time Systems through Ane Calculus on Clock

Synchronisation Constraints

Irina M. Smarandache

¹

, Thierry Gautier

²

, and Paul Le Guernic

²

1

The University of Reading, Department of Computer Science Whiteknights, PO Box 225, Reading RG6 6AY, United Kingdom

Tel.: (44) 118 931 8611 (7626), Fax: (44) 118 975 1994

I.M.Smarandache@reading.ac.uk

2

IRISA-INRIA, Campus de Beaulieu, 35042 Rennes Cedex, France

Thierry.Gautier@irisa.fr, Paul.LeGuernic@irisa.fr

Abstract.

In this paper we present the ane clock calculus as an exten- sion of the formal verication techniques provided by the

^Signal

lan- guage. A

^Signal

program describes a system of clock synchronisation constraints the consistency of which is veried by compilation (clock cal- culus). Well-adapted in control-based system design, the clock calculus has to be extended in order to enable the validation of

^Signal

-

^Alpha

ap- plications which usually contain important numerical calculations. The new ane clock calculus is based on the properties of ane relations in- duced between clocks by the renement of

^Signal

-

^Alpha

specications in a codesign context. Ane relations enable the derivation of a new set of synchronisability rules which represent conditions against which syn- chronisation constraints on clocks can be assessed. Properties of ane relations and synchronisability rules are derived in the semantical model of traces of

^Signal

. A prototype implementing a subset of the synchro- nisability rules has been integrated in the

^Signal

compiler and used for the validation of a video image coding application specied using

^Signal

and

^Alpha

.

1 Introduction

Real-time systems, and more generally reactive systems [4], are in continuous interaction with their environment. Therefore, they must respond in time to external stimuli. Moreover, real-time systems must be safe, thus one would wish to prove their correctness. Time constraints and safety are two important aspects to be considered in the design of a real-time application.

Real-time systems may be constrained by very tight real-time deadlines.

Moreover, a hardware implementation of parts of these systems is sometimes

required, to meet specic constraints for instance. An example is an application

consisting of numerical calculations performed iteratively on large structures of

regular multidimensional data. In this case, a hardware/software implementation

may be envisaged, in which the numerical calculations are conveyed to hardware

(3)

for eciency reasons, while the control relating these parts is implemented in software.

In general, designing a mixed hardware/software real-time system requires a rigorous methodology that comprises methods and tools addressing, among oth- ers, system specication and validation, optimal code generation and hardware synthesis. These aspects are dealt with in codesign [7] [9] which denotes the spec- ication, validation and implementation of an application which consists both of a hardware part, in the form of a set of specialised integrated circuits, and a software part implemented on general programmable processors. The idea is to explore various possible implementations of hardware/software systems in order to improve their performance and to ensure the respect of cost constraints.

1.1 Real-Time System Codesign

System codesign is a complex process which can be decomposed into three main activities [7]: 1. The cospecication of an application at various levels of abstrac- tion; 2. The validation of a specication by formal verication or simulation, also known as cosimulation; 3. The hardware/software partitioning of an application, the evaluation of a partitioning from the point of view of the time constraints and cost, the generation of executable code, the synthesis of hardware, and the production of the interface between hardware and software, i.e cosynthesis. A lot of work has been done, the purpose of which was to dene a well-structured methodology for codesign [7] [11] [19]. An important point was generally the description of both hardware and software using the same language, like for in- stance

^Vhdl

enhanced with mechanisms for calling

^C

functions [14], or high-level languages like

^C

,

^C++

or

^For^tran

extended with facilities for the description of hardware systems [10]. These approaches enable the programming of both the hardware and software parts of a system in a unique framework and their vali- dation by simulation. However, they cannot guarantee system correctness. This aspect can be much improved by using formal languages for system specication, renement of specications towards lower levels of abstraction (implementation) and validation of the various specications by formal verication.

Dening a complete methodology of codesign requires addressing other rel- evant problems, most of them concerning cosynthesis. Among these problems there are the automatic partitioning into hardware and software, the synthesis of hardware and the generation of optimal code for software implementation.

The work presented in this paper is part of a more general eort for building a hybrid framework in which the

^Signal

[12] [13] and

^Alpha

[20] languages can be used for real-time system codesign.

1.2 Cospecication and Cosimulation of

^Signal

-

^Alpha

Systems

Signal

is a synchronous [4] language developed for the specication, validation

and implementation of real-time systems.

^Signal

variables represent nite or

innite sequences of values (data) which can be ltered or merged before being

submitted to classical boolean or mathematical operations. A clock is implicitly

(4)

associated with each

^Signal

variable: it represents a set of temporal indices which denote the logical instants where the variable is present and has a value.

The semantics of a

^Signal

program can be described by a system of constraints (relations) on clocks and values, which is constructed and veried for consistency during compilation. The verication of the clock constraints is called clock cal- culus. The

^Signal

environment is enhanced with tools for

^C

[5] and

^Vhdl

[3]

code generation and formal verication of dynamic properties [2].

In its present form,

^Signal

is well-adapted for the design of control-based real-time systems. Firstly, this is due to its limitations concerning the treatment of computations on multidimensional data such as matrices. Only simple algo- rithms can be expressed in

^Signal

and no signicant optimisation is performed at the level of the generation of executable

^C

or

^Vhdl

code concerning vectors.

In contrast with

^Signal

, the

^Alpha

language has been developed primarily for the specication and implementation of algorithms on multidimensional data.

Such algorithms can be described in

^Alpha

using ane recurrence equations over convex polyhedral domains [20] and be further transformed for optimal hardware or software implementation on parallel or sequential architectures [21].

Given their complementary properties, the

^Signal

and

^Alpha

languages can be used jointly for the design of real-time systems containing important numerical calculations on multidimensional data and control: numerical compu- tations are expressed in

^Alpha

and the control is conveyed to

^Signal

. When the real-time requirements of the system are very tight, a mixed hardware/software implementation may be envisaged. In [9] we propose a hybrid framework for the combined use of

^Signal

and

^Alpha

in real-time system codesign. In order for this framework to be operational, it is necessary to interface

^Signal

and

^Alpha

programs both at the functional and architectural level. The former corresponds to a high-level mathematical representation of an algorithm in

^Alpha

, while the latter contains a set of new temporal indices corresponding to the execution of the algorithm on a parallel or sequential architecture.

In

^Signal

-

^Alpha

systems, the renement of an

^Alpha

program from a functional level to an architectural level oriented toward a particular implemen- tation also induces a renement of the temporal indices in

^Signal

. The new time indices are obtained through ane transformations on the instants of time of the initial

^Signal

specication. Consider clocks

^c

and

^c¹

in

^Signal

which are identical at the functional level (they are also denoted as synchronous). Af- ter renement, their relative position is such that clock

^c¹

can be obtained by an ane transformation applied to clock

^c

: the instants of time of

^c

and

^c¹

, denoted respectively

^T

and

^T¹

, can be described by a pair of ane functions

T

=

^fnt

+

^'¹^j ^t²^T^g

,

^T¹

=

^fdt

+

^'² ^j^t²^T^g

, on the same set of instants

^T

. With

^'

=

^'² ^'¹

, we will say that clock

^c¹

is obtained by an (

^n;^';^d

)-ane transformation applied to clock

^c

, where

^n;^d ²

IIN

the set of strictly positive integers and

^'²⁶

Z the set of integers. Clocks

^c

and

^c¹

are also said to be in an (

^n;^';^d

)-ane relation.

Clocks obtained by ane transformation may be re-synchronised at the ar-

chitectural level. As an example, consider clocks

^c

,

^c¹

and

^c²

which are identical

(5)

in the

^Signal

functional specication. At the architectural level, clocks

^c¹

and

c

2

have been transformed such that

^c

,

^c¹

and

^c

,

^c²

are respectively in ane relations of parameters (

ⁿ¹^;^'¹^;^d¹

) and (

ⁿ²^;^'²^;^d²

). Whether clocks

^c¹

and

^c²

can be re-synchronised depends on the properties of the ane relations which are induced from the values of (

ⁿ¹^;^'¹^;^d¹

) and (

ⁿ²^;^'²^;^d²

). Moreover, the rela- tions between

^c

,

^c¹

and respectively,

^c

,

^c²

may be expressions on (

^n;^';^d

)-ane relations constructed using operations like composition, union, etc. In this case, the re-synchronisation of clocks

^c¹

and

^c²

depends on the properties of these operations.

The

^Signal

clock calculus performs the verication of clock synchronisation constraints using a set of synchronisability rules, i.e. conditions against which these constraints can be assessed. The current clock calculus depends on boolean equation resolution methods [5] [1] which have been successfully used for the val- idation of numerous control-based real-time applications. However, in order to validate mixed

^Signal

-

^Alpha

systems as presented above, it is necessary to ex- tend the current clock calculus with a set of synchronisability rules deduced from the properties of (

^n;^';^d

)-ane relations. The new set of rules denes the ane clock calculus, which constitutes the main topic of this paper. We explore the space of (

^n;^';^d

)-ane relations and study to which extent it is closed under the main operations that can be performed on ane relations. Following this study, we dene a set of synchronisability rules which, although incomplete, enables the validation of the principles underlying the cospecication and cosimulation using

^Signal

and

^Alpha

. The semantical model of traces of

^Signal

[12] [16]

constitutes the support for the study of the properties of ane relations and for the denition of the new synchronisability rules.

1.3 Organisation of the Paper

In Section 2 we present the integration of

^Signal

and

^Alpha

for system code- sign. Section 3 is the central core of this paper and is dedicated to the denition and implementation of the ane clock calculus. The main concepts useful for this purpose are progressively introduced: these are the model of traces of the

Signal

language, the properties of ane relations on clocks, the set of synchro- nisability rules induced by the latter, and nally the necessary elements for the integration of the ane clock calculus in the compiler. The ane clock calculus has been applied to the cospecication and cosimulation of a video image coding application; this is briey illustrated in Section 4. In the same section we discuss in which way the

^Signal

and

^Alpha

environments may further contribute to the development of a complete codesign methodology based on both languages.

Finally, in Section 5 we present conclusions and perspectives of our work.

2

^Signal

and

^Alpha

in Real-Time System Codesign

Figure 1 summarizes the main elements of the environments around

^Signal

and

Alpha

that make both languages well-adapted for real-time system codesign.

(6)

Signal

and

^Alpha

programs represent mathematical notations for the proper- ties of the processes they dene. The system of constraints on clocks and values associated with a

^Signal

program is transformed by compilation into a synchro- nised data ow graph (

^Sdfg

). This data structure constitutes the support for executable code generation (

^C

or

^Vhdl

) or verication of dynamic properties using the formal tool

^Sigali

[2].

The

^Alpha

compiler includes a powerful type checking mechanism based on the structure of an

^Alpha

variable as a function over convex polyhedra. The syntax tree obtained after compilation can be directly translated into

^C

code for functional simulation, or it can be transformed into a subset of

^Alpha

called

^Al-

pha0

which exhibits the details of a parallel or sequential implementation. The syntax tree in

^Alpha0

form can be further translated in

^C

or

^Vhdl

executable code or directly mapped on a netlist [21].

The interface between

^Signal

and

^Alpha

is based on the fact that both languages can be translated in

^C

and executed for functional simulation. Fur- thermore,

^Signal

oers the possibility to call external processes: such a process can be the specication of an algorithm in a language other than

^Signal

. A particular type of an external process is a function, the execution of which is considered instantaneous from the point of view of

^Signal

. A

^Signal

function can be a predened or a user-dened

^C

function.

Fig.1.Signal

and

^Alpha

in system codesign.

2.1 Functional Cospecication and Cosimulation

Being a synchronous language,

^Signal

is based on the following hypotheses [4]:

1. All actions (communications and calculations) in a system have zero logical

(7)

duration (the elapsed time is represented by the precedence of successive values on a same data ow); 2. Two or more actions can take place at the same logical instant, such actions being termed \simultaneous". From the point of view of the logical temporal properties of a system, only succession and simultaneity of instants are of interest. Although their exact time values are not considered, note however that they will be considered for a given implementation. The pro- cess associated with a

^Signal

program represents thus a succession of logical instants, with each instant being associated one or more actions considered of zero logical duration and involving process variables present at that instant.

Consider for example a coding system for sequences of video images at 34 Mbits/s [8]. A system of this type consists of a set of numerical treatments applied iteratively on images of the same dimension. Images are divided into luminance and chrominance blocks and treatments are applied to each block.

Numerical treatments consist mainly of algorithms for inter and intra image coding which require operations like a discrete cosine transformation (

^Dct

). In order to illustrate the interfacing between

^Signal

and

^Alpha

, we have isolated from the coding application a simple

^Signal

program and have illustrated the associated process in Fig. 2. It consists of a

^Dct

operation applied in sequence to dierent values

^Aⁱ

of the matrix of pixels

^A

present at each logical instant of time

t

i

. The matrix

^A

corresponds to a block of luminance or chrominance of an image.

The

^Dct

can be expressed in

^Signal

as

^B

:=

^Dct

(

^A

), where

^Dct

is actually an external process. The

^Dct

is a time consuming algorithm, particularly for large matrices or when applied to images containing a large number of blocks. In order to improve the overall performance of the coding application, one would wish to execute each instance

^Bⁱ

:=

^Dct

(

^Aⁱ

) on a parallel integrated architecture as derived by the

^Alpha

environment.

The

^Dct

can be easily described in

^Alpha

. The

^Signal

-

^Alpha

cospecica- tion and cosimulation of the new system is made possible at the functional level as follows (see Fig. 2): 1. The

^Alpha

system is translated in executable

^C

code;

2. The

^C

function ALPHA C obtained at step 1 represents the external process implementing the

^Dct

in

^Signal

. The function ALPHA C is considered instan- taneous in

^Signal

; the clocks of the matrices

^A

and

^B

, denoted respectively by

c

and

^c¹

, are therefore synchronous. The overall system is thus represented as a

^Signal

specication executing instantaneously the functional description of the

^Alpha

specication. The system can be validated in the

^Signal

environ- ment by formal verication (compilation, model checking with

^Sigali

) and/or simulation.

2.2 Implementation-oriented Cospecication and Cosimulation

A mixed

^Signal

-

^Alpha

specication at the functional level may be rened in order to take into consideration the details of a particular implementation. The

Alpha

program of Section 2.1 describing a

^Dct

may be submitted to a sequence

of transformations for a parallel or sequential implementation. These transfor-

mations guarantee the equivalence of the nal specication, noted ALPHA' in

Fig. 3, with the initial ALPHA system of Fig. 2. The system ALPHA' contains

(8)

Fig.2.Signal

-

^Alpha

interface at functional level.

the time indices corresponding to a particular scheduling of the

^Dct

operation.

In Fig. 3 these time indices are represented as the diagonal sets of micro-instants

t j

i

associated with each macro-instant

^tⁱ

.

The

^Signal

specication has to be rened accordingly in order to enable the validation of the overall system. Therefore, the micro-instants of time of ALPHA' are taken into consideration in the new process SIGNAL' and described as the sets of instants

^Stⁱ⁰

,

^S^tⁱ¹

, etc. (see Fig. 3). The

^C

function ALPHA' C has been derived from ALPHA' and transformed in order to describe the sequence of operations performed at each micro-instant of time.

Fig.3.Signal

-

^Alpha

interface at architectural level.

The regularity of

^Alpha

values manifests itself in

^Signal

in several ways.

First, the sets of micro-instants

^Stⁱ⁰

,

^Stⁱ¹

, etc. have the same cardinality. Also, successive values for

^B

are provided at specic micro-instants between any two successive macro-instants

^tⁱ

and

^tⁱ⁺¹

in a regular manner. This situation is il- lustrated in Fig. 4 where the clocks of matrices

^A

and

^B

, denoted respectively by

^c

and

^c¹

, are dened by the following instants of time:

^c

=

^f

0

^;

9

^;

18

^;^:::g

and

c

1

=

^f

6

^;

15

^;^:::g

(after providing the values

^Bⁱ

at the instants of time dened by

c

1

, the architecture implementing the operation

^Bⁱ

:=

^Dct

(

^Aⁱ

) may execute fur-

ther computations like initialisations for the next operation

^Bⁱ⁺¹

:=

^Dct

(

^Aⁱ⁺¹

)).

(9)

Fig.4.

Illustration of an ane relation.

In Fig. 4, clock

^c⁰

is dened by the set of instants

^f

0

^;

1

^;

2

^;

3

^;

4

^;

5

^;^:::g

. It can be noticed that clocks

^c

and

^c¹

are placed in a regular manner on the sup- port clock

^c⁰

: their relative position is such that

^c¹

has been obtained through an (9

^;

6

^;

9)-ane transformation applied to

^c

. By denition, clock

^c¹

is the re- sult of an (

^n;^';^d

)-ane transformation applied to clock

^c

if it can be obtained from

^c

through steps 1 and 2 as follows: 1. Constructing a new clock

^c⁰

as the union of

^c

with the set of instants obtained by introducing

ⁿ

1 ctive in- stants between any two successive instants of

^c

(and

^'

ctive instants before the rst instant of

^c

when

^'

is negative). 2. Dening the clock

^c¹

as the set of instants

^fdt

+

^'^j^t²^c⁰^g

, with

^c⁰

=

^ft^j^t²

IIN

^g

(in other words, counting ev- ery

^d

instant, starting with the

^'^th

instant of

^c⁰

, or with the rst instant of

c

0

when

^'

is negative). Clocks

^c

and

^c¹

are then said to be in an (

^n;^';^d

)- ane relation. The above denition can be expressed in an equivalent form as follows: clocks

^c

and

^c¹

are in (

^n;^';^d

)-ane relation if there exists a clock

c

0

such that

^c

and

^c¹

can be respectively expressed using the ane functions

t:

(

^nt

+

^'¹

) and

^t:

(

^dt

+

^'²

), with

^'² ^'¹

=

^'

, with respect to the time in- dices of

^c⁰

:

^c⁰

=

^ft^j^t²

IIN

^g

,

^c

=

^fnt

+

^'¹ ^j^t²^c⁰^g

,

^c¹

=

^fdt

+

^'² ^j^t²^c⁰^g

.

Properties on ane relations can be exploited in order to verify that clocks are synchronisable, that is, their sets of instants can be identied (re- synchronised). Consider (Fig. 2) a

^Signal

program which executes two succes- sive

^Dct

operations at each macro-instant

^tⁱ

, one on a luminance block of an image, noted

^B

:=

^Dct

(

^A

), and the second one on the next block of red chromi- nance of the same image, described by

^D

:=

^Dct

(

^C

).

Each

^Dct

function is expressed in

^Alpha

at the functional level and further rened according to a particular implementation. The

^Signal

specication is rened accordingly and we obtain the timing diagrams of Fig. 5: the clocks of

^A

and

^C

are synchronous and equal to

^c

, the clocks of

^B

and

^D

are respectively

c

1

and

^c²

, and the clocks

^c⁰

and

^c⁰⁰

describe the instants of the excution of the

Dct

functions on a potential architecture derived in the

^Alpha

environment.

In the functional

^Signal

-

^Alpha

specication, clocks

^c

,

^c¹

and

^c²

were syn-

chronous (see Section 2.1 for details). After renement of the time indices in

the

^Signal

-

^Alpha

specication, the clocks

^c¹

and

^c²

should be re-synchronised

in order to preserve the temporal properties of the whole application. Whether

the re-synchronisation of

^c¹

and

^c²

is possible given their relative position as

illustrated in Fig. 5, or after further adjustments of their time indices, can be

decided based on the properties of the ane relations existing between

^c

,

^c¹

(10)

Fig.5.

Synchronisable clocks in the context of codesign with

^Signal

and

^Alpha

. and

^c

,

^c²

respectively. Clocks

^c

,

^c¹

and

^c

,

^c²

are respectively in (9

^;

6

^;

9) and (7

^;

3

^;

7)-ane relation in the process SIGNAL'. The relation existing between the triplets (9

^;

6

^;

9) and (7

^;

3

^;

7) guarantees the equivalence of the corresponding ane relations. This will be detailed in Section 3. Informally, the equivalence of the above ane relations expresses the fact that the relative positions of clocks

c

and

^c¹

, respectively

^c

and

^c²

, are identical. Based on this observation, clocks

c

1

and

^c²

can be identied without contradicting the temporal behaviour of the other clocks in the

^Signal

program. The instants of time of clocks

^c⁰

and

^c⁰⁰

situated between two successive instants of

^c

and

^c¹

(or

^c²

) are independent and can be positioned with respect to each other in various manners; in Fig. 5 we have illustrated one possibility. Therefore,

^c¹

and

^c²

can be re-synchronised; we say that

^c¹

and

^c²

are synchronisable.

The aim of the ane clock calculus discussed in Section 3 is to dene neces- sary and sucient conditions for clock synchronisability based on the properties of ane relations on clocks. These conditions are expressed as a set of synchro- nisability rules and are derived in the semantical model of traces of

^Signal

. Section 3 begins with an introdution to these concepts.

3 Ane Calculus on Clocks in

^Signal

Figure 6 introduces the reader to the semantics of traces [12] [16] of

^Signal

. The most important concepts in

^Signal

are: 1. the signal, which denotes a variable of the language and represents a nite or innite sequence of values;

2. the clock, a variable associated with each signal which represents the set of

logical instants where the values of the signal are present.

^Signal

operators

manipulate signals by imposing implicit or explicit constraints on their values

and clocks. Constraints on clocks are usually expressed as identities between

(11)

clock expressions constructed using the operators of intersection (

^{^}

), union (

^_

) or dierence (

ⁿ

). Clocks can be also subsets of other clocks dened as samplings by boolean conditions. When no condition is explicitly or implicitly stated on a pair of clocks, they are independent.

Fig.6.

Illustration of

^Signal

semantics of traces.

A

^Signal

program describes a real-time system, which is in continuous inter- action with its environment. Input values are transformed corresponding to the actions of a given specication and the results are provided to the environment.

This situation is illustrated in Fig. 6 in the case of a program manipulating in- puts

^x

and

^y

and providing output

^z

depending on the values of

^x

and

^y

. In case

z

is the addition of

^x

and

^y

, signals

^x

,

^y

and

^z

are implicitly constrained by the + operator in

^Signal

to have the same clocks

^c^x

=

^c^y

=

^c^z

.

The congurations

^F

and

^F⁰

illustrated in Fig. 6 correspond to two dierent executions of the

^Signal

program, involving sequences

^xⁱ

,

^yⁱ

and

^zⁱ

and respec- tively

^x⁰ⁱ

,

^yⁱ⁰

and

^zⁱ⁰

. The set of all possible congurations, called traces, which can be exhibited during the execution of a

^Signal

program, denes completely the process

^P

associated with the program. Consider

^A

a subset of the set

^B

of signals manipulated by a program. A trace may contain instants with no action involving signals from

^A

. However, each instant of this type contains actions which involve other signals from the set

^BnA

. Given a subset

^A

of signals, a ow on

^A

is a trace with at least one action involving signals from

^A

for each logical instant. In the particular case of Fig. 6, if we consider the subset of signals to be

^fx;^y;^zg

, the traces illustrated are actually ows.

More generally, the process

^P

associated with a

^Signal

program is a set of

ows on the variables of the program. Each ow

^F

in

^P

is constrained by a system

of equations on the clocks and values of signals manipulated by

^P

. Equations

on values can be further expressed in the abstract form of a data dependency

graph (an example of a data dependency graph is illustrated in Fig. 6 for the +

(12)

operator). Besides the clock calculus, the compiler veries data consistency by checking the absence of cycles in the data dependency graph. In the next section however, we will concentrate mainly on the clock calculus.

3.1 Clock calculus & Synchronisability

The clock calculus is equivalent to the resolution of a system of clock equations.

For example:

c

=

^c¹

c

0

= (

^c¹^{^}^c²

)

^_^c¹

c

=

^c⁰

(1)

can be a system derived from a

^Signal

program which manipulates clocks

^c

,

^c⁰

,

c

1

and

^c²

. In this simple system,

^c¹

and (

^c¹^{^}^c²

)

^_^c¹

have clearly to be proved equivalent, which is an immediate consequence of the axioms of the boolean lattice. The space of clocks associated with a

^Signal

program is a boolean lattice [6] the properties of which are extensively used for the proof of equivalences. The resolution of the system is performed by triangularisation of the system [5] [1].

Given a boolean signal

^Cd

, its clock, denoted ^

^Cd

, can be partitioned into the clock [

^Cd

] where the signal

^Cd

is present and true and the clock [

^:Cd

] where

^Cd

is present and false (the clocks [

^Cd

] and [

^:Cd

] represent samplings by boolean conditions). The relations between clocks ^

^Cd

, [

^Cd

] and [

^:Cd

] are expressed by the partition equations below:

[

^Cd

]

^_

[

^:Cd

] = ^

^Cd

[

^Cd

]

^{^}

[

^:Cd

] =

^;

(2)

The axioms of the boolean lattice together with the partition equations induce on the space of clocks a lattice of an order

\coarser" than the order

of the boolean lattice [5]. Clocks can be boolean formulas constructed either with samplings by boolean conditions [

^Cd

], [

^:Cd

] or with free variables of the boolean lattice. The properties of the lattice of order

are actually used during the triangularisation of any system of clock equations.

The axioms of the lattice

represent a system of synchronisability rules in the sense described below. Clocks

^c

and

^c⁰

are synchronisable in the process

^P

, which is denoted by

^c ^P ^c⁰

, if there exists a ow

^F

in

^P

in which

^c

and

^c⁰

are synchronous:

c P

c 0

,9F 2P;c

=

F ^c⁰

(3)

(we note

^c

=

^F ^c⁰

the fact that

^c

and

^c⁰

are synchronous in

^F

).

Whenever the property expressed by equation 3 is valid for each ow

^F

in

^P

, the clocks

^c

and

^c⁰

are said to be synchronous in

^P

, which is denoted by

^c

=

^P ^c⁰

. This denition can be expressed as follows:

c

=

P ^c⁰^,^8F ²^P;^c

=

^F ^c⁰

(4)

(13)

Unless explicitly constrained through the

^Signal

program, clocks

^c

and

^c⁰

are completely independent in the associated

^P

process. Therefore, their relative position can be such that in some ows

^F

in

^P

they are identical, while in some other ows

^F⁰

in

^P

their instants interleave in an arbitrary manner: obviously, if

^c

and

^c⁰

are independent in

^P

, they are synchronisable. When the relative position of clocks

^c

and

^c⁰

is implicitly or explicitly constrained by the

^Signal

operators, ows

^F

in

^P

are subsequently constrained and the synchronisability of

^c

and

^c⁰

depends on these constraints.

In order to better understand the use of the synchronisability rules, consider for example a process

^P

derived from a

^Signal

program Prg in which clocks

^c

and

^c⁰

are dened by the rst two equations of the system (1):

c

=

^c¹

c

0

= (

^c¹^{^}^c²

)

^_^c¹

(5)

Program Prg may be transformed into Prg

⁰

in which an additional constraint has been expressed on clocks

^c

and

^c⁰

:

^c

=

^c⁰

(in the

^Signal

-

^Alpha

context, Prg could be part of a transformed

^Signal

-

^Alpha

specication, as seen above, and Prg

⁰

the same specication, in which clocks are resynchronised). Consider the process

^P⁰

corresponding to the program Prg

⁰

. The system of clock equations associated with Prg

⁰

is (1). Given the set of ows

^F⁰^P

such that

^c

=

^F ^c⁰

,

8F 2F

0

, it results

^P⁰

=

^F⁰

. Therefore, verifying the consistency of (1), which is equivalent to testing that clocks

^c

and

^c⁰

are equivalent in

^P⁰

, is further equivalent to testing the synchronisability of

^c

and

^c⁰

in

^P

. The rule (

^c¹^{^}^c²

)

^_^c¹

=

^c¹

from the boolean lattice is indeed a synchronism rule: (

^c¹^{^}^c²

)

^_^c¹

=

^P ^c¹

for every process

^P

. The same axiom holds for the process

^P

associated with Prg. And thus (

^c¹^{^}^c²

)

^_^c¹ ^P ^c¹

, since synchronism implies synchronisability. Therefore in the example,

^F⁰

is not empty and it can be concluded that

^P⁰

is consistent from the point of view of the constraints expressed on its clocks.

The rules of the lattice

represent synchronisability rules: each identity

f

1

=

^f²

, with

^f¹

,

^f²

boolean formulas on clocks, is equivalent to

^f¹

=

^P ^f²

which implies

^f¹^P ^f²

for every process

^P

. These rules can be further extended using the properties of the ane relations between clocks. Figure 5 illustrates this idea:

if

^P

is the process associated with the program SIGNAL', the conguration in which clocks

^c¹

and

^c²

coincide represent a ow

^F ²^P

such that

^c¹

=

^F ^c²

. Thus,

^c¹

and

^c²

are synchronisable in

^P

. The reason here is that the (9

^;

6

^;

9) and (7

^;

3

^;

7)- ane relations existing respectively between

^c

,

^c¹

and

^c

,

^c²

are equivalent. In the next section, we dene the ane relation associated with a ow and a process and further explicitate the concept of equivalence of ane relations.

3.2 Ane Relations in

^Signal

Given

^n;^d²

IIN

and

^'²⁶

Z xed, clocks

^c

and

^c¹

are in (

^n;^';^d

)-ane relation in

the ow

^F

|which is denoted

^c^R^F^(n;';d)^c¹

or (

^c;^c¹

)

²^R^F^(n;';d)

|if the relative

(14)

position of

^c

and

^c¹

in

^F

can be induced by an (

^n;^';^d

)-ane transformation as dened in Section 2.2.

Clocks

^c

and

^c¹

are in (

^n;^';^d

)-ane relation in process

^P

, denoted

c R P

(n;';d) c

1

or (

^c;^c¹

)

² ^R^P^(n;';d)

, if they are in (

^n;^';^d

)-ane relation in each ow

^F

of

^P

, i.e.

^c^R^F^(n;';d)^c¹

,

^8F ²^P

. Flows and processes are dened over the set of variables they manipulate. For a given set

^A

, a ow

^F

on

^A

is a member of the set of ows

^F^A

that can be constructed with the variables of

^A

. In a similar manner, a process

^P

on

^A

belongs to the set of processes on

^A

, i.e.

^P ² ^P^A

. Because of the nite nature of the sets of variables associated with ows and processes, ane relations can be dened as nite sets as follows:

8F 2F

A

;R F

(n;';d)

=

^f

(

^c;^c¹

)

²^A^A^j ^c^R^F^(n;';d)^c¹^g

(6)

8P 2F

A

;R P

(n;';d)

=

^f

(

^c;^c¹

)

²^A^A^j ^c^R^P^(n;';d)^c¹^g

(7) Consider the process

^P ²^P^fc;c1;c2g

dened as follows:

P

=

^fF ²^F^fc;c1;c2g ^j^c^R^F^(n1;'1;d1)^c¹^;^c^R^F^(n2;'2;d2)^c²^g

(8) (induced by a

^Signal

program that manipulates only the clocks

^c

,

^c¹

and

^c²

).

From the denition of an ane relation associated with a process it results

c R P

(n

1

;'

1

;d

1 )

c

1

and

^c^R^P⁽ⁿ2

;'

2

;d

2 )

c

2

. Clocks

^c¹

and

^c²

are synchronisable in

^P

if there exists

^F ² ^P

satisfying

^c¹

=

^F ^c²

. Consider

^F^s ² ^P

satisfying

^c¹ ^F

=

^s ^c²

. Obviously

^c ^R^F^(n1;'1;d1)^s ^c¹

and

^c^R^F^(n2;'2;d2)^s ^c²

. Being identical in

^F^s

, clocks

^c¹

and

^c²

can be replaced with each other and therefore

^c ^R^F^(n1;'1;d1)^s ^c¹

implies

c R F

s

(n1;'1;d1) c

2

and

^c^R^F^(n2;'2;d2)^s ^c²

implies

^c ^R^F^(n2;'2;d2)^s ^c¹

. It results therefore that

^R^Fs^(n1;'1;d1)

=

^R^Fs^(n2;'2;d2)

=

^f

(

^c;^c¹

)

^;

(

^c;^c²

)

^g

. In conclusion, a necessary con- dition for clocks

^c¹

and

^c²

to be synchronisable in

^P

is that

^R^Fs^(n1;'1;d1)

and

R F

s

(n2;'2;d2)

be equivalent. In the case of the process

^P

dened by (8), it can be proved that this condition is also sucient.

The equivalence of ane relations depends on the closure properties of the space of ane relations with respect to the main operations that can be applied to it. These are either union, intersection or dierence induced by the homonym operations on clocks, or general operations on relations like inverse and com- position [15]. In the next section we propose a study of these properties in the semantical model of traces of